Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
472
Views
0
Helpful
2
Replies

Vlan 1 Security

jabercromby
Level 1
Level 1

‎08-03-2009 09:51 AM - edited ‎03-06-2019 07:04 AM

If you have your vtp domain set to NULL

and have all the switches in the switch fabric/enterprise

configured for transparent mode.

This takes care of really worrying about vtp prunage/pruning

right or wrong?

But with dot1q encap you will still have the vlan 1 traffic

traversing the trunks......

Unless

switchport mode trunk remove vlan1

Is this correct???

Or all wrong?

Additionally lets say you have created an configured

a vlan and it's respective SVI as opposed to using

vlan 1 for MGT.

You have also gone out of your way to ensure that

interface Vlan1 on all switch SVIs do not have ip addresses

configured and they are shut down.

If you have physical switchports/ports on these switches

that DO NOT have a specific vlan MEMBERSHIP via the

"switchport access vlan" command then they default to

1.

right/wrong?

Same goes for trunk ports if you DO NOT specific the

native vlan?

I am just trying to keep this all straight.

The one thing I have never had conclusive answers for is

can you somehow change the DEFAULT VLAN to something

other than Vlan 1 in global config or something?

You can obviously take care of Vlan 1 at layer 3

on devices by disabling/de-configuring it if you will but

can you really do anything about it at Layer 2?

Thats all I got.

Respectfully

Jim Abercromby

CCNP

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎08-03-2009 09:58 AM

Jim

You cannot remove vlan 1 from a trunk link. It is still used for certain Cisco management protocols whether you shut the interface down or not.

Physical switchports not allocated to any specific vlan will indeed default to vlan 1.

Native vlan is by default vlan 1 unless you change it.

"The one thing I have never had conclusive answers for is

can you somehow change the DEFAULT VLAN to something

other than Vlan 1 in global config or something?"

No you can't. You can change the native vlan, the mgmt vlan etc.. but vlan 1 is still the default vlan.

You can basically make sure you don't use vlan 1 for anyhting ie. as a native vlan, to manage the switches, for user ports ie.

use separate vlan for mgmt

use separate vlan for unused switchports

use different vlan for native vlan.

This paper also contains some good advice on vlan 1 precautions -

https://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

Jon

0 Helpful

jabercromby
Level 1
Level 1
In response to Jon Marshall

‎08-03-2009 10:05 AM

Jon,

Thanks for the quick turn around.

Just wanted to make sure I was covering all my bases and

I am.

I have been reading that paper, nsa guides and the disa stigs.

Its just frustrating that you literally cannot change it at all.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card